Tuesday, January 27, 2009
The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869
In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.
The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document: http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf
Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!
Friday, January 9, 2009
Wednesday, January 7, 2009
I was watching the MacRumors live feed yesterday and I was lucky enough to see the hack live.
It was kind of funny, I was following the updates and at some point this text appeared:
STEVE JOBS JUST DIED:
A few seconds later the guys from MacRumors figured out that something happened and posted a retraction. And then the hacker posted another funny message:
Oh, wait, sorry. Steve did die. Our condolences.
And after that things started to get out of control. A lot of people started to post a lot of crap. You can see a screen shot here.
Anyway, I was curious what happened and started searching on Google. I was thinking they found an SQL injection or guessed their passwords or something like that.
However, things were much simpler (as they usually are). Some guy/guys from 4chan found a directory listing for the admin directory.
As if this wasn't bad enough, this directory was not properly configured and was showing the source code of PHP files instead of executing them.
More than that, you could read the htpasswd file (named .passwd) with all the password hashes :)
Wait, there is more :)
They didn't even need those passwords, because if you read some of the files from that directory you could get the URL of the administrative interface. From there you could post live updates and stuff. And guess what: this administrative interface wasn't password protected. Now, that's just funny :)
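To make the chain above concrete from the server side, here is an added Apache configuration example (constructed for this post, not MacRumors' actual config) that pairs each of the four mistakes described above with the directive that closes it. It assumes Apache 2.4 syntax with mod_php and the paths shown; the admin credential file is kept outside the document root so it can never be fetched over HTTP.

```apache
# Constructed example, not MacRumors' configuration.
# Assumed paths: document root /var/www/html, admin panel under /admin.

# 1. Directory listing: "Options Indexes" reveals every file name in a
#    directory that has no index file. Turn it off for the whole site.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 2. PHP shown as source: a mirrored copy with no PHP handler serves the
#    code as text. Bind the handler explicitly (mod_php assumed here) and
#    refuse to serve backup/editor copies that would be sent as plain text.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.(php\.(bak|old|orig|txt)|php~|inc)$">
    Require all denied
</FilesMatch>

# 3. Readable password file: Apache's default only blocks ".ht*", so a file
#    named .passwd is served. Deny every dotfile, and keep the real htpasswd
#    file outside the document root regardless.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 4. Unprotected admin interface: require authentication for the whole
#    admin path (HTTP auth shown; the application's own login is better).
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Administration"
    AuthUserFile "/etc/apache2/admin.htpasswd"
    Require valid-user
</Directory>
```

Checking the result is as simple as requesting the admin directory without an index file (expect 403, not a listing), a .php file (expect rendered output, not source) and the password file (expect 403).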
Here is the response from arn, the guy that runs MacRumors.
The cause of the security breach is best described as "user error" due to admin files being inadvertently mirrored across multiple server instances with incorrect permissions. This allowed php code to be displayed rather than executed, which was clearly a "bad thing". Our actual admin panel is password protected, of course.